#!

###########################
# System Settings Global
###########################
#
# To increase security, SSLv3.0, TLS 1.0 and TLS 1.1 can be disabled
# for the admin access. By default TLS 1.1 and 1.2 are activated.
#
#set admin-https-ssl-versions tlsv1-2
#
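config system global
#
# Administrative access hardening for this section:
# - admin-port 80 is the cleartext HTTP admin port; admin-https-redirect is
#   enabled so HTTP admin requests are redirected to the HTTPS port (admin-sport)
#   instead of accepting logins in cleartext.
# - After admin-lockout-threshold failed logins the account is locked for
#   admin-lockout-duration seconds.
#
set admin-concurrent enable 
set admin-console-timeout 0
set admin-https-banned-cipher rc4 low 
set admin-https-pki-required disable 
# Was "disable": cleartext HTTP admin logins on admin-port were accepted as-is.
set admin-https-redirect enable 
# TLS 1.1 is still accepted here; see the header note for restricting to tlsv1-2.
set admin-https-ssl-versions tlsv1-1 tlsv1-2 
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-login-max 100
set admin-maintainer enable 
set admin-port 80
set admin-reset-button disable 
set admin-scp disable 
# Fortinet_Factory is the factory-shipped certificate (also used for auth-cert
# and user-server-cert below) — TODO confirm whether a CA-issued certificate is planned.
set admin-server-cert Fortinet_Factory 
set admin-sport 4443
set admin-ssh-grace-time 120
set admin-ssh-password enable 
set admin-ssh-port 22
set admin-ssh-v1 disable 
set admin-telnet-port 23
set admintimeout 15
set alias $SerialNum
set allow-traffic-redirect enable 
set anti-replay strict 
set arp-max-entry 131072
set auth-cert Fortinet_Factory 
set auth-http-port 1000
set auth-https-port 1003
set auth-keepalive disable 
set auto-auth-extension-device enable 
set av-affinity 0 
set av-failopen pass 
set av-failopen-session disable 
set batch-cmdb enable 
set block-session-timer 30
set br-fdb-max-entry 8192
set cert-chain-max 8
set cfg-save automatic 
set check-protocol-header loose 
set check-reset-range disable 
set clt-cert-req disable
# NOTE(review): compliance-check is disabled globally but enabled in
# "config system settings" below — confirm which is intended.
set compliance-check disable
#set compliance-check-time 00:00:00  
set cli-audit-log enable 
set csr-ca-attribute enable 
set daily-restart disable 
set device-identification-active-scan-delay 90
set device-idle-timeout 300
set dh-params 2048 
set dst enable 
set endpoint-control-fds-access enable
unset endpoint-control-portal-port
set explicit-proxy-auth-timeout 300
set fds-statistics enable 
set fgd-alert-subscription advisory latest-threat 
set fortiextender disable 
set fortiextender-data-port 25246
set fortiservice-port 8013
set gui-certificates enable 
set gui-custom-language enable 
unset gui-device-latitude 
unset gui-device-longitude
set gui-display-hostname enable 
set gui-ipv6 disable 
set gui-lines-per-page 50
set gui-theme green 
set gui-wireless-opensecurity enable 
set honor-df enable 
set hostname mydomain1-sg0e0 
set igmp-state-limit 3200
set ip-src-port-range 1024-25000
set ipsec-asic-offload enable 
set ipsec-hmac-offload enable 
set ipv6-accept-dad 1
set language english 
set ldapconntimeout 500
set lldp-transmission disable 
set log-uuid extended 
set login-timestamp enable 
set management-vdom root 
set max-route-cache-size 0
set miglog-affinity 0 
set miglogd-children 0
set ndp-max-entry 0
set optimize antivirus 
set phase1-rekey enable 
set policy-auth-concurrent 0
set post-login-banner disable 
set pre-login-banner disable 
# NOTE(review): private-data-encryption is disabled — confirm this is intended
# before configuration backups of this device are exported or shared.
set private-data-encryption disable 
set proxy-worker-count 2
set radius-port 1812
set reboot-upon-config-restore enable
set refresh 0
set registration-notification enable 
set remoteauthtimeout 5
set reset-sessionless-tcp disable 
set revision-backup-on-logout enable 
set revision-image-auto-backup enable 
set scanunit-count 3
set send-pmtu-icmp enable 
set service-expire-notification enable 
set snat-route-change disable 
set special-file-23-support disable 
set sslvpn-cipher-hardware-acceleration enable 
unset sslvpn-kxp-hardware-acceleration
set sslvpn-max-worker-count 3
set sslvpn-plugin-version-check enable 
set strict-dirty-session-check enable 
# Previously listed twice; the duplicate line was dropped.
set strong-crypto enable
set switch-controller enable 
set switch-controller-reserved-network 169.254.0.0 255.255.0.0
set sys-perf-log-interval 5
set tcp-option enable
#
# Session tuning parameter "default":
# 
#set tcp-halfclose-timer 120
#set tcp-halfopen-timer 10
#set tcp-timewait-timer 1
#set udp-idle-timer 180
#
# Session tuning parameter "tuned":
# 
set tcp-halfclose-timer 10
set tcp-halfopen-timer 10
set tcp-timewait-timer 0
set udp-idle-timer 180
#
# Set timezone with the corresponding number:
#
# 26    (GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna
#
set timezone 26
set traffic-priority tos 
set traffic-priority-level medium 
set two-factor-email-expiry 60
set two-factor-fac-expiry 60
set two-factor-ftk-expiry 60
set two-factor-ftm-expiry 72
set two-factor-sms-expiry 60
set user-server-cert Fortinet_Factory 
set vdom-admin disable 
set vip-arp-range restricted 
#
# "virtual-server-count" and "wad-worker-count" are
# only available for FG-60E.
#
set virtual-server-count 2
set wad-worker-count 2
set wifi-ca-certificate Fortinet_Wifi_CA 
set wifi-certificate Fortinet_Wifi 
set wimax-4g-usb disable 
set wireless-controller enable 
set wireless-controller-port 5246
set fds-statistics-period 60
end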
###########################
# System Settings
###########################
config system settings
#
# VDOM-level settings (root VDOM): NAT operation mode with proxy-based
# inspection. Asymmetric routing stays disabled for IPv4 and IPv6, and
# sessions are not created for TCP packets that arrive without SYN.
#
set opmode nat 
set inspection-mode proxy 
set http-external-dest fortiweb 
set firewall-session-dirty check-all 
set bfd disable 
set utf8-spam-tagging enable 
set wccp-cache-engine disable 
set vpn-stats-log  ipsec pptp l2tp ssl 
set vpn-stats-period 600
set v4-ecmp-mode source-ip-based 
set snat-hairpin-traffic enable 
set dhcp-proxy disable 
set central-nat disable 
set gui-default-policy-columns "#" "policyid" "srcintf" "dstintf" "srcaddr" "dstaddr" "schedule" "service" "groups" "action" "nat" "logtraffic" "profile" "bytes" "packets" "hit_count"
set lldp-transmission global 
set asymroute disable 
set asymroute-icmp disable 
set tcp-session-without-syn disable 
set ses-denied-traffic disable 
set strict-src-check disable 
set asymroute6 disable 
set asymroute6-icmp disable 
set sip-helper disable 
set sip-nat-trace disable 
set status enable 
set sip-tcp-port  5060
set sip-udp-port 5060
set sccp-port 2000
set multicast-forward enable 
set multicast-ttl-notchange disable 
set allow-subnet-overlap disable 
set deny-tcp-with-icmp disable 
set ecmp-max-paths 10
set discovered-device-timeout 28
set email-portal-check-dns enable 
set default-voip-alg-mode kernel-helper-based 
#
# gui-* switches below only control which features are visible in the GUI;
# they do not enable or disable the features themselves.
#
set gui-icap disable 
set gui-implicit-policy enable 
set gui-dns-database enable 
set gui-load-balance disable 
set gui-multicast-policy enable 
set gui-dos-policy enable 
set gui-object-colors enable 
set gui-replacement-message-groups enable 
set gui-voip-profile enable
set gui-ap-profile enable 
set gui-dynamic-profile-display disable 
set gui-ipsec-manual-key disable 
set gui-local-in-policy enable 
set gui-explicit-proxy disable 
set gui-dynamic-routing enable 
set gui-dlp enable 
set gui-sslvpn-personal-bookmarks disable
set gui-sslvpn-realms enable 
set gui-policy-based-ipsec disable 
set gui-threat-weight enable 
set gui-multiple-utm-profiles enable 
set gui-spamfilter enable 
set gui-application-control enable 
set gui-casi disable 
set gui-ips enable 
set gui-endpoint-control disable  
set gui-dhcp-advanced enable 
set gui-vpn enable 
set gui-wireless-controller enable 
set gui-switch-controller disable 
set gui-fortiap-split-tunneling enable 
set gui-webfilter-advanced enable 
set gui-traffic-shaping enable 
set gui-wan-load-balancing disable 
set gui-antivirus enable 
set gui-webfilter enable 
set gui-dnsfilter disable 
set gui-waf-profile disable 
set gui-fortiextender-controller disable 
set gui-advanced-policy enable 
set gui-allow-unnamed-policy enable 
set gui-email-collection disable 
set gui-domain-ip-reputation enable 
set gui-multiple-interface-policy enable 
# NOTE(review): enabled here, but "config system global" above sets
# compliance-check disable — confirm which is intended.
set compliance-check enable 
set ike-session-resume disable 
set ike-quick-crash-detect disable
end
###########################
# System Settings Central-Management
###########################
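config system central-management 
#
# FortiManager-managed device: configuration/script restore, pushed
# configuration and firmware, remote firmware upgrade and monitoring are
# all allowed from the FortiManager at "fmg". Management traffic uses
# enc-algorithm high.
#
set mode normal 
set type fortimanager
set schedule-config-restore enable 
set schedule-script-restore enable 
set allow-push-configuration enable 
# Fixed keyword: the FortiOS option is allow-push-firmware (file had "allow-pushd-firmware").
set allow-push-firmware enable 
set allow-remote-firmware-upgrade enable 
set allow-monitor enable 
# FortiManager address; the FMG-Admin-mydomain1 account below pins its trusthost1 to this IP.
set fmg "3.3.3.3"
unset fmg-source-ip
unset fmg-source-ip6
set vdom root 
#
# Optional FortiGuard server-list override (template, left disabled).
# Each entry needs its own "next" before the closing "end":
#
#config server-list
#edit 1
#set server-type update 
#set addr-type ipv4 
#set server-address 0.0.0.0
#next
#end
set include-default-servers enable 
set enc-algorithm high
end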
###########################
# System Settings Admin ("admin" User)
###########################
config system admin
edit admin
#
# Built-in "admin" account with the super_admin profile on the root VDOM.
#
set remote-auth disable 
set peer-auth disable 
# NOTE(review): no trusthost is configured, so this super_admin account can be
# logged into from any source address (IPv4 and IPv6); restrict with
# trusthost1..10 / ip6-trusthost1..10 where the management network is known.
unset trusthost1
unset trusthost2
unset trusthost3
unset trusthost4
unset trusthost5
unset trusthost6
unset trusthost7
unset trusthost8
unset trusthost9
unset trusthost10
unset ip6-trusthost1
unset ip6-trusthost2
unset ip6-trusthost3
unset ip6-trusthost4
unset ip6-trusthost5
unset ip6-trusthost6
unset ip6-trusthost7
unset ip6-trusthost8
unset ip6-trusthost9
unset ip6-trusthost10
set accprofile "super_admin"
set vdom "root"
# Password-only SSH: no public keys or SSH certificate are configured.
unset ssh-public-key1 
unset ssh-public-key2
unset ssh-public-key3
unset ssh-certificate
unset schedule
# NOTE(review): two-factor authentication is disabled for the super_admin account.
set two-factor disable 
unset email-to
set sms-server fortiguard 
unset sms-phone
set guest-auth disable 
# NOTE(review): the password is stored in cleartext in this file and is the same
# value used for the FMG-Admin-mydomain1 account below; treat this file as a
# secret and rotate the password before deployment.
set password only4mydomain1!
set allow-remove-admin-session enable 
next
end
###########################
# System Settings Admin (Configure "admin" Dashboard)
###########################
config system admin
edit admin
#
# Dashboard layout for the built-in "admin" account.
# Column 1: sysinfo, licinfo, jsconsole, analytics.
# Column 2: sysres (real-time), sysop, tr-history on wan1, alert.
# Display-only settings; nothing here changes device behaviour.
#
config dashboard
edit 1
set widget-type sysinfo
set name ''
set column 1
set status open
next
edit 2
set widget-type licinfo
set name ''
set column 1
set status open
next
edit 3
set widget-type jsconsole
set name ''
set column 1
set status open
next
edit 8
set widget-type analytics
set name ''
set column 1
set status open
next 
edit 4
set widget-type sysres
set name ''
set column 2
set time-period 720
set chart-color 1
set view-type real-time
set status open
next
edit 7
set widget-type sysop
set name ''
set column 2
set status open
next
edit 9
set widget-type tr-history
set name ''
set column 2
set interface "wan1"
set tr-history-period1 3600
set tr-history-period2 86400
set tr-history-period3 604800
set refresh enable
set status open
next
edit 6
# Alert widget: all alert classes are shown except FortiGuard (fgd) alerts.
set widget-type alert
set name ''
set column 2
set top-n 10
set status open
set show-system-restart enable
set show-conserve-mode enable
set show-firmware-change enable
set show-fds-update enable
set show-device-update enable
set show-fds-quota enable
set show-disk-failure enable
set show-power-supply enable
set show-admin-auth enable
set show-fgd-alert disable
set show-fcc-license enable
set show-policy-overflow enable
next
end
end
###########################
# System Settings Admin ("FMG-Admin-mydomain1" FortiManager User)
###########################
config system admin
edit "FMG-Admin-mydomain1"
#
# Service account used by FortiManager. Logins are restricted to the
# FortiManager address configured as "fmg" in central-management (3.3.3.3/32);
# no IPv6 trusthost is set.
#
set comments "Administrator to be used for FortiManager"
set remote-auth disable 
set peer-auth disable 
set trusthost1 3.3.3.3 255.255.255.255
unset trusthost2
unset trusthost3
unset trusthost4
unset trusthost5
unset trusthost6
unset trusthost7
unset trusthost8
unset trusthost9
unset trusthost10
unset ip6-trusthost1
unset ip6-trusthost2
unset ip6-trusthost3
unset ip6-trusthost4
unset ip6-trusthost5
unset ip6-trusthost6
unset ip6-trusthost7
unset ip6-trusthost8
unset ip6-trusthost9
unset ip6-trusthost10
# NOTE(review): super_admin grants full rights to a service account — TODO confirm
# whether a narrower access profile is sufficient for FortiManager.
set accprofile "super_admin"
set vdom "root"
unset ssh-public-key1 
unset ssh-public-key2
unset ssh-public-key3
unset ssh-certificate
unset schedule
set two-factor disable 
unset email-to
set sms-server fortiguard 
unset sms-phone
set guest-auth disable 
# NOTE(review): cleartext password in this file, identical to the built-in
# "admin" account above; use a distinct secret and rotate before deployment.
set password only4mydomain1!
set allow-remove-admin-session enable 
next
end
###########################
# System Settings DDNS
###########################
config system ddns
edit 1
# Dynamic DNS via FortiGuardDDNS, tracking the wan1 interface address.
set monitor-interface "wan1"
set ddns-server FortiGuardDDNS
set ddns-domain "mydomain1-sg0e0.fortidyndns.com"
set use-public-ip disable 
next
end
###########################
# System Settings DNS
###########################
config system dns
#
# System resolvers: external public DNS (8.8.8.8 / 8.8.4.4), IPv4 only;
# no IPv6 resolvers and no explicit source-ip. Negative (NXDOMAIN) answers
# are not cached.
#
set primary 8.8.8.8
set secondary 8.8.4.4
set domain "mydomain1.local"
unset ip6-primary
unset ip6-secondary
set dns-cache-limit 5000
set dns-cache-ttl 1800
set cache-notfound-responses disable
unset source-ip 
end
###########################
# System Settings NTP
###########################
config system ntp
#
# Time sync from a custom NTP server pool every 360 minutes.
# NOTE(review): no NTP authentication/key settings appear in this block;
# time is taken from the public pool unauthenticated — confirm this is acceptable,
# since log timestamps and certificate validation depend on it.
#
set ntpsync enable
set type custom
set syncinterval 360
# Serving NTP to internal hosts is left disabled (template below).
#set server-mode enable
#set interface "internal"
config ntpserver
edit 1
set server "ch.pool.ntp.org"
set ntpv3 disable 
next
end
end
###########################
# System Settings FortiGuard
###########################
config system fortiguard
#
# FortiGuard service settings: antispam and webfilter lookups are enabled
# with local result caching; auto-join to FortiCloud is disabled. No SDNS
# or DDNS server IPs are pinned (defaults apply).
#
set port 8888 
set load-balance-servers 1
set auto-join-forticloud disable 
set antispam-force-off disable 
set antispam-cache enable 
set antispam-cache-ttl 1800
set antispam-cache-mpercent 2
set antispam-timeout 7
set webfilter-force-off disable 
set webfilter-cache enable 
set webfilter-cache-ttl 7200
set webfilter-timeout 15
unset sdns-server-ip  
set sdns-server-port 53
unset source-ip
unset source-ip6
unset ddns-server-ip
set ddns-server-port 443
end
###########################
# System Settings Console
###########################
config system console
#
# Serial console: 9600 baud, paged output, login required (no unauthenticated
# console shell).
#
set mode line 
set baudrate 9600
set output more 
set login enable 
#
# FortiExplorer USB Mgmt. access will be disabled:
#
set fortiexplorer disable
end
###########################
# System Settings Auto-Install
###########################
#
# Deactivate auto-install-config/image from USB disk.
#
config system auto-install 
#
# USB auto-install is disabled for both configuration and firmware image, so
# a USB device plugged in at boot cannot replace the running config or image.
# The default file names below are only used if auto-install is re-enabled.
#
set auto-install-config disable 
set auto-install-image disable  
set default-config-file fgt_system.conf 
set default-image-file image.out 
end
###########################
# System Settings Autoupdate Schedule
###########################
#
# Activate updates for fortiguard.
#
config system autoupdate schedule
#
# Scheduled FortiGuard update check, run "every" day at 02:00.
#
set status enable 
set frequency every 
#
# If "frequency" is set to weekly, define one "day"
#
#set day Monday
#
set time 02:00
end
###########################
# System Settings Push Updates
###########################
#
# Deactivate push updates for fortiguard.
#
config system autoupdate push-update 
#
# FortiGuard push updates are disabled; the device relies on the scheduled
# pull above. Port/override values below only apply if status is re-enabled.
#
set status disable
unset address
set override disable 
set port 9443
end
###########################
# System Network-Visibility
###########################
config system network-visibility 
#
# Destination/source visibility for logs and GUI: hostnames are resolved and
# cached for 86400 s, up to 5000 entries.
#
set destination-visibility enable
set source-location enable
set destination-hostname-visibility enable
set hostname-ttl 86400
set hostname-limit 5000
set destination-location enable
end